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A cryptographic algorithm is proposed based on fully quantum mechanical keys 
and ciphers. Encryption and decryption are carried out via an appropriate mea- 
surement process on entangled states as governed by a quantum mechanical, asym- 
metrical and dynamical public key distribution. The use of public keys leads to 
a high availability of our scheme, while their quantum nature is shown to ensure 
unconditional security of the proposed algorithm. 
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In quantum cryptography [T[| messages are rendered unintelligible to unauthorized users 
via quantum mechanical means, i.e. a quantum algorithm. A cryptographic algorithm in 
general describes the encryption and decryption mechanisms while the keys involve all nec- 
essary additional information. So far, many aspects in quantum cryptography have been 
studied such as quantum key distributions |2|, |3|, f|, quantum secret sharing |J, quantum 
identity verification j7|, quantum bit commitment and quantum multi-party computation 
||, quantum information hiding ||, and information theory for quantum cryptography 
T0|1 . Present-day quantum cryptography involves quantum keys and classical cryptosys- 



tems, which are both well understood and implemented experimentally |lT| . The classical 
cryptosystem can be categorized as classic symmetrical key cryptosystem (SKC) and classic 
asymmetrical i.e. public key cryptosystem (PKC) [Q. The characteristic of the SKC is 
that encryption and decryption use the same key (called symmetrical key), which are kept 
secret by the communicators. The main feature of the PKC is that the public key associated 
with a private key can be published. By the public key one can not in principle obtain any 
information about the private key. Since the holder may publicly announce the public key, 
everyone who wants to communicate with the holder can easily find and use it. Classic 
cryptographic algorithms have been widely used in both private information protection and 
private communication. 

There are drawbacks, however, in both classic SKC and PKC. Currently, the one-time 
pad is the only algorithm which has been proven secure, but it can not be used efficiently in 
practical applications because of difficulties in the key management. Although the protocols 
for quantum key distributions provide an efficient way, the problem of availability of the 
one-time pad cryptosystem has not been completely solved, because the classic SKC can 
not be used efficiently in large network systems. The classic PKC, which was proposed 20 
years ago, can provide high availability for the cryptosystem. However, since the classic PKC 
relies on the assumption of computational complexity such as the difficulty of factoring large 
numbers, up-to-date none of the existing classic PKC has been proven secure, even against 
an attacker with limited computational power. In additional, the rapid development of 
quantum computers [|T3j, [L4|, [H| increasingly endanger the security of current cryptosystems. 
Research shows for example that a quantum computer may easily break the well-known RSA 
algorithm . 

In this letter we introduce a quantum public key algorithm. The algorithm makes use 
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of maximally entangled states (MES) of pairs of spin-i particles and their correlation- 
preserving projection on appropriate directions. It begins with the generation of public 
and private keys via the correlation among MES, associated measurement operators and 
a string of unitary operators. Then the sender, Bob, encrypts his message by using the 
public key and a quantum logic gate operation which is governed by the key and yields the 
ciphertext. Finally, the private key is employed by Alice to decrypt this ciphertext. The un- 
conditional security and availability of the proposed algorithm are shown to be guaranteed, 
respectively, by the no-cloning theorem [jl6| and by the technology of the public key. 

The central and difficult problem of designing a public key algorithm is how to generate 
the secure key pairs, i.e., the public key and the secure private key. For the quantum key 
generation and distribution, many protocols have been proposed. However, in all previous 
schemes only symmetrical keys can be generated and distributed, so those previous protocols 
for quantum key generation and distribution can only be used in the SKC but are not suitable 
for the PKC. 

We here present a secure key distribution for our quantum PKC via using maximally 
entangled states of pairs of spin-| particles. The single-particle eigenstates are denoted 
|0) and |1) with respect to a measurement along an axis z, i.e. a z = |1)(1| — |0)(0|, and 
|±) = (|0) ± \l))/y/2 are the eigenstates of the spin operator along the corresponding x axis, 
i.e. a x = (|1)(0| + |0)(l|)/2. We consider the so called Bell states = (|00) ± 
and |^ ± ) = (|01) ± \10))/V2 and the additional MES given by \^) = (|0-) ± |l+))/V2 
and l^) = (|0+) ± 1 1 — )) / v2. We shall refer to all these two-particle MES as quantum 
channels. These states can be generated by applying unitary transformations on one of the 
particles of any of above MES, keeping the degree of entanglement unchanged. It will turn 
out beneficial to express the considered MES in the various bases offered by the sets of 
eigenstates of spin operators in the various directions, for example 

|$+) = |o,o) + |i,i) = |+, +) + |-,-), 

= |0,+) + |l,-) = |+,0) + |-,l), (1) 

where the normalization factors have been omitted. 

From equation (HD, it can be noted that, if the spin of one particle of the MES |$ + ) is 
being measured along the axis x or z, the state of the other particle is completely determined 
when its spin is also measured along the same axis. This can be generalized easily to 
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TABLE I: Measurement axis are indicated for each particle of a MES, along the columns, for 
obtaining maximum correlation or anti-correlation between the readouts of measurements. 



Quantum channel 






Particle 1 (M P ) 


O z 


O x 


o z 


Ox 


Particle 2 (Ms) 


o z 


X 


Ox 


Oz 



any axis n. For the state \<f) + ), we find however, that the particles must be measured in 
orthogonal directions. In table | it is shown how this situation is for all considered MES for 
measurements along the x and z axes. Thus, we learn from table | that a given quantum 
channel and the measurement axis for both particles are correlated, i.e. if two of them 
(including the channel) are known, the third can be determined. However, if only one is 
known, the other parameters remain unknown. Based on this feature we shall continue in 
constructing the public key Kp and the corresponding private key K$- 

Alice initiates the key generation by choosing on paper random strings of both quan- 
tum channels B = |6 2 ), • • • , |6 n )} and spin operators for one particle M. P = 
{mp,rrip,- ■ ■ , m™} with 6 {l^ 1 * 1 ), 1^), l^), 1^)} an d wt E {o z ,cr x } (later the quan- 
tum channels will arise from actual experiments). Following table | Alice is now in the 
position to determine the spin measurement axis with regard to the second particle, yielding 
M.s — { m s) m s>''' , m ™} ■ Then, Alice creates an additional string of unitary operators 
U = {U U U 2 ,--- ,£/„}, where £/< = cos^(|0)(0| + |1)(1|) +sin0, (|1)(0| - |0)(1|) with 0< be- 
ing a random number, which is secretly chosen by Alice. Combining M. p and U, Alice is 
then able to generate our public key Kp, 

K P = ,k%}, kl^U^miUi. (2) 

Thus, a spin measurement operator k l p = along an axis n may be publicly announced 
while the quantum channel and the measurement operator on the second particles of the 
quantum channels remain known solely to Alice. The corresponding private key K$ is then 
constructed via 

K s = {kl,k 2 s ,--- ,k:}, kl^Ur^U,. (3) 
where k\ = a^. for Bell states \bi), k\ = a h ± for the other employed MES and hf being an 
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orthogonal direction to n^. This relation among k l and k\ was derived like table | but with 
x and z replaced by the general directions hi and hf. 

The secret key K$ is dependent on the parameters Ais, B and U, so that we shall refer 
to it as a dynamical key. This becomes relevant in practical applications because it has 
been proven that dynamical keys are more secure than static keys. There is no way that 
the secret private key K$ can be determined with the mere knowledge of the public key 
Kp, because both the quantum channel and the unitary rotation still remain unknown to 
everybody but Alice. The private key K$ is kept secret by the holder while the public key 
Kp may be published like a telephone number. The use of the public key leads to a high 
availability for the proposed scheme. At the same time, the high secrecy of Ms and B leads 
to a high secrecy for the private key. We note that up to this point all procedures may be 
carried out on paper, while in what comes an actual experiment is required. 

With regard to the encryption and decryption procedures, Alice and Bob are imagined 
to share particles of a set of m identical MES |$ + ) with m > n at this stage. One particle 
of each MES is associated with Alice and one with Bob which form the one-particle strings 
V A and V Bl respectively. The labels A and B refer to Alice's and Bob's particles through- 
out the article. Then Alice and Bob choose respectively a fraction of particles (denoted 
by AV' A and AV B , respectively) from the sets V' A and V B to check on eavesdropping by 
using the method presented in Ekert's protocol for quantum key distributions Jfl. When- 
ever eavesdropping has occurred, it is necessary to establish again the string of quantum 
channels. Otherwise, the remaining entangled states may be arranged to have n states and 
form the set £>'. For convenience, we denote the remaing particles as Va = V'a — AV' A — 
{PaiPa-i " " " >Pa}> an d T^B — 'P'p, ~ ^P'b = {PbjPbj ' ' ' iPb}- Then Alice generates a set 
Ua = {U A i,--- ,U An } by randomly choosing U Ai G {I , H,a z , Ha z ,a x , Hcr x ,cr y , Hcr y } for 
% G {1, • • • , n} and thus creates B = {Uai\§ + ), • ■ ■ , UA n \& + )}- Here I is the identity oper- 
ator, H = (|0)(0| + |1)(1| + |1)(0| — |0)(1|) /y/2 is a Hadamard gate and we have neglected 
a global phase. As an example |^/ + ) = a XA \§ + ) and \(f> + ) = Ha\§ + ) where the subindex A 
indicates that the corresponding operator need be applied on Alice's particle. Then Alice 
has obtained the set B necessary to allow communication and to generate K$- 

We now suppose that Bob seeks to send a secret plaintext message ip M to Alice via 
the public key Kp. On orderly measuring the particles Vb by using the public key Kp, 
Bob obtains the string K B = {\k B ), \k%), ■ ■ ■ ,\k%)}, where \k B ) = G {|0 fti ), 
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are eigenstates of a^. The message ip is characterized by a string of qubits tp M = 
{\y P ), \(p 2 P ), ■■■ , \(p P )}, where \(p P ) = a^O) + for i G {1, 2, ■ ■ • , n}. Then Bob shall 
encrypt the message by applying a single qubit gate G;GG = {Gi, G2, • ■ ■ , G n } via 



where Gi = H if \k l B ) = \0fn) and Gi = Z [Z = a z is the Z-gate) in the other case if 
\k B ) = Thus the qubits |c l ) in the ciphertext C are strongly dependent on the public 

key. We note that the general encryption procedures, i.e. the general rule for choosing H— 
and Z— gates are equally publicly announced. 

The aim of the decryption algorithm is to decrypt the ciphertext C and to recover the 
plaintext (p M under the control of the private key. Since the private key K$ is dynam- 
ical for our algorithm, Alice needs to obtain the private key K$ prior to decrypting the 
ciphertext. Alice knows the public key K P as well as the secret parameters B and U and 
is thus enabled to calculate the private key K s by Eq. (|3]). Then, Alice is required to 
measure the string of particles Va using the private key Ks and obtains the secret string 
Ka = {\k\), \k\)i ' ' ' 1 \^a)} with k\ = k l s p A for i G {1, • • • ,n}. Then Alice is in the posi- 
tion to evaluate Bob's measurement outcomes Kb via Ka because of the correlation of the 
measurement operators and the knowledge of the secret quantum channels B and the set 
of rotation operators U. Say for example \bj) = \<f) + ) may be the j th quantum channel and 
k 3 p = a x the j measurement operator of the public key for a particular j e {1, 2, • • • , n}. 
Then from Eq. (1) we learn that \<p + ) = |+, 0) + |— , 1) in the basis of eigenstates of k 3 p = o x 
for Bob's particle, where the first and second entry of the MES refer to Bob's and Alice's 
particle, respectively. As a consequence the possible outcomes for Bob's measurement via 
k ] p = a x could be either k? B = |+) or k B = |— ). From table | Alice knows the correlated 
measurement operator k\ — a z . If her measurement k\ = cr z p A delivers |0), e.g., Bob's 
measurement must have resulted in |+), otherwise in |— ). Consequently, Alice can obtain 
Bobs set of qubit gates G and thus decrypt the plaintext via 



where G] G {G[,G 2 , ■ ■ ■ ,G^ n } are the adjoint operators of Gi as employed in Eq. (|j) for 
i G {1, • • • , n}. We note that the H— and Z— gates may be easily inverted. 

The above algorithm is illustrated in Fig. 0, which includes the encryption and decryption 
processes. The aim of the phases I and II is to establish the quantum channels between the 



d) = Gi\<j P ) 



(4) 



I^p> = G?I^> 



(5) 
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particles of the communicators and to carry out public and secret key-dependent measure- 
ments on Bob's and Alice's particles, respectively. The resulting states of the measurements 
determine the set of quantum logic gates G for the encoding and decoding procedures in 
phase III. Qubits as well as classic bits may be encoded and decoded cryptographically this 
way. We emphasize further that the plaintext tp M may be blocked for practical applications, 
when the number of bits of the plaintext exceeds that of the public key Kp. In this situation 
Bob is required to divide the plaintext into L blocks with length each of the public key n. 
Then he encrypts each qubit of the i th block for % 6 {1, 2, • • • , L} following the encryption 
procedure presented in Eq. If the whole plaintext or its last block are shorter than the 
public key, one should add some identity symbols, e.g. |0)'s, alike in classic communication, 
prior to encrypting this part of the plaintext. Similarly for the decryption, Alice repeats the 
decryption operation presented in Eq. (|5D for each block until all blocks have been decrypted. 

We move on with the analysis of the security of the proposed algorithm. In modern 
cryptography, the main characteristic is that the encryption and decryption algorithms are 
public, while the private key required for the actual decryption is secret. Thus the secrecy 
of the PKC depends completely on the secrecy of the private keys. As a consequence, an 
unconditionally secure algorithm requires it to be impossible for any attacker to obtain the 
private key neither directly nor through the public key, the cipher or any other insecurity of 
the algorithm. An attacker Eve may be an eavesdropper or a tamper trying to modify the 
private key and shall not be assumed here to be limited in resources in any way. 

The first considered strategy of an attacker shall be to obtain or change the private key 
through the public key. Since Kp is public, the attacker is obviously able to acquire it. The 
quantum channels, however, necessary to obtain Kg via Kp are nonorthogonal, e.g. satisfy 
|(0 + |$ + )| 2 0, which guarantees that any attempt to intervene the quantum channel by 
an eavesdropper Eve can be detected because of the noncloning theorem |16|]. Thus, the 
attacker, Eve, can not be part of the quantum channel without disturbing it. Moreover, 
according to table |, there is a probability of 1/8 for Eve of obtaining a single correct 
quantum channel. Thus, for an n bit message and the associated quantum channels, the 
probability for Eve of intercepting without being detected is (l/8) n . This number becomes 
increasingly small for longer messages but more importantly Eve may not know it even if 
she has found the correct quantum channels by accident. Those situations have been proven 
unconditionally secure (see first entry in || and references therein). In addition, due to 
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the random variables 6 i} there is no correlation between the public key and the private key. 
Thus without the knowledge of either B or one of M. p or U, no information about Kg is 
obtainable via Kp. 

Furthermore we consider the strategy, in which the attacker seeks to obtain the plaintext 
directly through the ciphertext. Since the ciphertext is created by the set of gates G which 
is controlled by Kp, this is required prior to finding the ciphertext. However, except for Bob 
and Alice, it is impossible for anybody to obtain the correct Kp because after Bob's measure- 
ment on Vp using the public key there are two possible cases for each qubit. It is even impos- 
sible to acquire the correct ciphertext for any attacker, because the ciphertext consists of two 
states {Z\ip P ),H\ip P }}, which obey the property | (tp P \Z^H\ip P ) | 2 = \ [1 + (a?$ - f3*oti)f. 
If a» and (3i are chosen to be real numbers, then \(ip P \Z + H\ifj p )\ 2 = 1/2, which means these 
states are nonorthogonal. Thus the ciphertext may not be identified like in the B92 pro- 
tocol [0. Accordingly, any qubit in the ciphertext is unknown to the attacker, i.e. by the 
no-cloning theorem, the attacker can not copy or know it. 

Unlike the classic PKC, whose security depends on the computational complexity as- 
sumption, the proposed algorithm does not require such an assumption. It is implemented 
completely by the natural laws of quantum mechanics, i.e. does not involve any intrinsic 
drawbacks. We add finally that usually the blocking treatment decreases the security of 
the algorithm in the classic cryptography, because this treatment leaks some useful informa- 
tion, such as the periodical or pseudo-periodical characteristics from the obtained ciphertext 
(consisting of classic bits), to the attacker. However, the blocking treatment in the proposed 
algorithm does not disclose any effective information, because no attacker is in the position 
to obtain the correct ciphertext as mentioned above. 

In conclusion, an available and secure public key algorithm has been proposed. The 
proposed algorithm encrypts the message using a public key and decrypts the ciphertext 
using a private key. The public key may be publicly announced and the private key is kept 
secret. Physically, the algorithm is implemented by using correlations on the measurement 
axis of particles of a MES. The use of the public key leads to a high availability, but it does 
not influence the unconditional security of the proposed algorithm. The availability and the 
unconditional security have been effectively united in the proposed algorithm. 
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FIG. 1: Diagram of the quantum public key algorithm. The procedures of the encryption and 
decryption are divided into three phases. In phase I a MES |<I> + ) is established between Alice 
and Bob, and then, Alice applies a random unitary operation from Ua on her particle of the 
entangled pair, which creates one of the eight quantum channels. In phase II Bob and Alice 
perform measurements on their particles using the public and secret keys Kp and Ks, respectively. 
For encryption and decryption in phase III, the key-dependent quantum logic gates in G and 
are applied on the plaintext ip M and the ciphertext C by Bob and Alice, respectively. 



